Hi everyone,

I'm trying to enable log forwarding from the ossec server to syslog by enabling the
client-syslog option from the ossec-control script. Running ossec-control
start shows that ossec-csyslogd is started, but after that, when running ossec-control
status, ossec-csyslogd dies. When debug is enabled everything works as
it should and syslog receives messages. Ossec server 2.7, OS RHEL5.9 i386,
selinux disabled.
Does anyone have any idea where the problem could be?

[root@~ bin]# ./ossec-control enable client-syslog
[root@~ bin]# ./ossec-control restart
Killing ossec-monitord ..                     
Killing ossec-logcollector ..                 
Killing ossec-remoted ..                      
Killing ossec-syscheckd ..                    
Killing ossec-analysisd ..                    
ossec-maild not running ..                    
ossec-execd not running ..                    
ossec-csyslogd not running ..                 
OSSEC HIDS v2.7 Stopped                       
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
Started ossec-csyslogd...                        
2013/02/18 14:14:25 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
[root@~ bin]# ./ossec-control status                         
ossec-monitord is running...                                          
ossec-logcollector is running...                                      
ossec-remoted is running...                                           
ossec-syscheckd is running...                                         
ossec-analysisd is running...                                         
ossec-maild not running...                                            
ossec-execd not running...                                            
ossec-csyslogd: Process 6678 not used by ossec, removing ..           
ossec-csyslogd not running...     

ossec.log contains only one record about ossec-csyslogd; otherwise it's
clean.
2013/02/18 14:14:25 ossec-csyslogd: INFO: Started (pid: 6678).

[root@~ bin]# ./ossec-control enable debug
[root@~ bin]# ./ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
ossec-maild not running ..
ossec-execd not running ..
ossec-csyslogd not running ..
OSSEC HIDS v2.7 Stopped
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
Started ossec-csyslogd...
2013/02/18 14:15:41 ossec-maild: DEBUG: Starting ...
2013/02/18 14:15:41 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
2013/02/18 14:15:41 ossec-analysisd: DEBUG: Starting ...
2013/02/18 14:15:41 ossec-analysisd: DEBUG: Found user/group ...
2013/02/18 14:15:41 ossec-analysisd: DEBUG: Active response initialized ...
2013/02/18 14:15:41 adding rule: ...... [adding all rules]
2013/02/18 14:15:41 ossec-analysisd: DEBUG: Read configuration ...
Started ossec-analysisd...
2013/02/18 14:15:41 ossec-logcollector: DEBUG: Starting ...
Started ossec-logcollector...
2013/02/18 14:15:41 ossec-remoted: DEBUG: Starting ...
Started ossec-remoted...
2013/02/18 14:15:41 ossec-rootcheck: DEBUG: Starting ...
2013/02/18 14:15:41 ossec-rootcheck: Starting queue ...
2013/02/18 14:15:42 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '110592'.
Started ossec-syscheckd...
2013/02/18 14:15:42 ossec-monitord: DEBUG: Starting ...
Started ossec-monitord...
Completed.
[root@~ bin]# ./ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd not running...
ossec-csyslogd is running...

ossec.log shows a bit more info now:
2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
2013/02/18 14:15:41 ossec-csyslogd: INFO: Chrooted to directory: /usr2/ossec, using user: ossecm
2013/02/18 14:15:41 ossec-csyslogd: INFO: Started (pid: 6883).
2013/02/18 14:15:41 ossec-csyslogd: INFO: File queue connected.
2013/02/18 14:15:41 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '[syslog servr ip]:514'.

After disabling debug, the process dies again on a status query.

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.